FA-LLLing for RSA: Lattice-based Fault Attacks against RSA Encryption and Signature

Abstract

At CT-RSA 2022, it was shown that combining the power of lattice reduction algorithms with that of fault injection allows not only to carve new attack paths, as previously known, but also to pave existing ones, so to speak. Indeed, using faulty results to build an instance of the Hidden Number Problem, and eventually solving it, can allow an attacker to consider less restrictive fault models than before. In this article, we introduce two new fault attacks on both RSA encryption and signature using this approach. Our lattice-based attack can require as few as 2 faulty ciphertexts and signatures respectively to reveal the hidden secrets with a 32-bit random fault model. At the other end of the fault model spectrum, our attack is still successful considering a very permissive fault model where the attacker can randomly alter up to 98% of the targeted value.